  • Report: Microsoft Edge apparently leaking all websites you visit to Bing API

    aum

    • 8 comments
    • 575 views
    • 2 minutes

    Microsoft Edge added a feature back in January 2022 which allowed users to follow content creators like YouTubers. However, this "follow creators" feature appears to be bugged in the latest update, according to reports online. The issue is a serious one for data privacy, as every website URL visited is seemingly being sent to the Bing API endpoint "bingapis.com/api/v7/followweb/isfollowable". This is because the follow creators feature appears to be enabled by default all the time in the latest version, which means every URL or domain visited is sent to that endpoint.
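    For anyone who wants to check their own network for this behaviour, the following is an added example (not code from this report, from Microsoft, or from the Reddit poster): it scans proxy log lines for GET requests to the endpoint named above and recovers any visited URLs carried in the query string. Because the report does not document which query parameter holds the visited page, the code inspects every parameter for URL-shaped values instead of assuming a name. The log lines are constructed for the example, not captured traffic.

```python
"""Find requests to the Bing 'isfollowable' endpoint in proxy logs and report
which visited URLs were disclosed in them (added example; sample data is constructed)."""
from urllib.parse import urlsplit, parse_qsl

# Endpoint named in the report. The query parameter carrying the visited page is
# undocumented, so every parameter is scanned for values that are themselves URLs.
LEAK_HOST = "bingapis.com"
LEAK_PATH = "/api/v7/followweb/isfollowable"

# Constructed proxy log lines in the form "<client-ip> <method> <absolute-url>".
SAMPLE_LOG = """\
10.0.0.5 GET https://bingapis.com/api/v7/followweb/isfollowable?url=https%3A%2F%2Fintranet.example.internal%2Fhr%2Fpayroll&x=1
10.0.0.5 GET https://intranet.example.internal/hr/payroll
10.0.0.5 GET https://bingapis.com/api/v7/followweb/isfollowable?url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3Dabc
10.0.0.7 GET https://example.com/
10.0.0.7 GET https://bingapis.com/api/v7/followweb/isfollowable?q=not-a-url
"""


def parse_line(line):
    """Split one log line into (client, method, parsed URL)."""
    client, method, url = line.split(" ", 2)
    return client, method, urlsplit(url)


def is_leak_request(parts):
    """True when the request targets the isfollowable endpoint (host or any subdomain)."""
    host = (parts.hostname or "").lower()
    host_match = host == LEAK_HOST or host.endswith("." + LEAK_HOST)
    return host_match and parts.path == LEAK_PATH


def disclosed_urls(parts):
    """Return query-string values that are themselves http(s) URLs (percent-decoded)."""
    found = []
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        candidate = urlsplit(value)
        if candidate.scheme in ("http", "https") and candidate.hostname:
            found.append(value)
    return found


def audit(log_text):
    """Return a list of (client, disclosed_url) for every matching GET request.

    A request to the endpoint whose payload carries no recognisable URL is still
    reported, with None as the URL, so that the contact itself is not missed."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, method, parts = parse_line(line)
        if method != "GET" or not is_leak_request(parts):
            continue
        urls = disclosed_urls(parts)
        if not urls:
            findings.append((client, None))
        for url in urls:
            findings.append((client, url))
    return findings


def summarize(findings):
    """Group the disclosed hostnames per client for a quick report."""
    by_client = {}
    for client, url in findings:
        host = urlsplit(url).hostname if url else "(no url recovered)"
        by_client.setdefault(client, set()).add(host)
    return by_client


if __name__ == "__main__":
    for client, hosts in summarize(audit(SAMPLE_LOG)).items():
        print(client, "->", ", ".join(sorted(hosts)))
```

    Run against real proxy or DNS-with-URI logs, the interesting finding is not the contact with bingapis.com itself but the internal hostnames that show up in the decoded query values, which is exactly what a "follow creators" lookup should never need to see.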

     

    The issue was discovered first by Reddit user hackermchackface a few days ago. He wrote:

     

    What is causing Edge to leak all visited URLs following latest update? API is: bingapis.com/api/v7/followweb/isfollowable ?

     

    GET request includes the full URL of every page navigated to.

     

    Searching for references to this URL gives very few results, no documentation on this feature at all. JSON response shows type as “FollowableStatus” which yields zero Google results, which is rare.

     

    Microsoft MVP and Stardock engineer Rafael Rivera gave the following statement to The Verge:

     

    Microsoft Edge now has a creator follow feature that is enabled by default, it appears the intent was to notify Bing when you’re on certain pages, such as YouTube, The Verge, and Reddit. But it doesn’t appear to be working correctly, instead sending nearly every domain you visit to Bing

     

    Microsoft has responded to The Verge confirming that it is aware of such reports. Caitlin Roulston, director of communications at Microsoft, has stated:

     

    We’re aware of reports, are investigating and will take appropriate action to address any issues

     

    We will be updating this article when further updates are here.

     

    Via: The Verge

     



    User Feedback

    Recommended Comments

    I personally use Firefox, but double checking the GET request sent by M.S. Edge to the mentioned API, and keeping in mind the well-structured JSON-like wrapped data, it seems more than a simple leak!  As little as I know, it clearly looks like a well designed feature/function of the Edge browser telemetry, aimed at collecting users' usage statistics, considering each Local/Session/Shared/Cache Storage element (under DevTools) that is being passed on.

    Edited by DLord
    Link to comment
    Share on other sites


    A bug? It's a feature. That is why I disabled "Show suggestions to follow creators in Microsoft Edge" from the get-go; how else can it send suggestions other than monitoring your web usage. You can make edge private by downloading edge group policy, going through it with a fine tooth comb; as well as through everything under the settings page. One privacy setting missing from group policy is disabling sending everything you type in private messages, social media, and forms to the cloud; enabled by default, which can be disabled under 'settings / languages'. Never login to and sync edge browser directly, and do not login to bing or an ms account in your primary edge browser, use a dedicated edge browser for bing chat / ms accounts, like the beta or dev channel; or binggpt: https://github.com/dice2o/BingGPT  Use a unique non identifiable email for your dedicated bing chat account. Block all cookies and site data to [*.]msn.com, [*.]microsoft.com, [*.]live.com, [*.]bing.com in your primary browser to prevent MS edge cookie tracking; and hosts block assets.msn.com, browser.events.data.msn.com, browser.events.data.microsoft.com, and www.google-analytics.com; three domains edge uses for telemetry that cannot be blocked by any other means. There are a number of settings under edge://flags : Block insecure private network requests., Strict-Origin-Isolation, Partitioned cookies, and Anonymize local IPs exposed by WebRTC, that help privacy while browsing also. Do not use smartscreen period [i recommend an av with the highest offline detection rate https://www.neowin.net/news/av-comparatives-finds-microsoft-defender-has-one-of-the-poorest-offline-detection-rates/ ] and change your default search engine to brave search. Blocking cookies to [*.]bing.com will render all bing searches private/non identifiable, only connected to IP.

    Given Edge has 'super secure mode' which blocks the JIT compiler, and enforces ACG exploit protections on the render process and other areas of the browser, rendering 99% of zero-day exploits impossible, including by nation states, edge is by far the most secure browser... but it takes some effort making it private. https://community.brave.com/t/option-to-disable-jit-compilation/43768/6

    Chrome is lightyears ahead security wise than firefox: https://madaidans-insecurities.github.io/firefox-chromium.html

    The biggest concern that remains is the future of chromium extensions and adblocking with Manifest V3; which if dictated to its userbase in current form will increase cybercrime and tracking dramatically. Even the FBI does not recommend browsing without a decent adblocker for this very reason.

    Edited by wang_bam
    Link to comment
    Share on other sites


    9 hours ago, wang_bam said:

    Chrome is lightyears ahead security wise than firefox: https://madaidans-insecurities.github.io/firefox-chromium.html

    Well, that is the opinion of one person, claimed more than a year ago.  I do not want to reference tons of articles that argue otherwise (even if you use Google to search for it!) but claiming that Chrome is light years ahead security wise than Firefox (an open source project) is just absurd my friend.

    Link to comment
    Share on other sites


    It's called research, not opinion. I've seen propaganda out there suggesting otherwise. What I care about is the data. Firefox is much less of a privacy concern but years behind Chrome, edge especially, in terms of security.

    Edited by wang_bam
    Link to comment
    Share on other sites


    Three of those list brave as number 1; It's true that Brave is more secure than Firefox; however not a single article you share goes into any depth or fact based research whatsoever. Read the articles I cite, they do.  Sadly, #1 is Edge; it is currently the most secure browser on the market.  Firefox isn't designed to effectively disable JIT without losing java functionality; that alone translates to an automatic increase of attack surface by 50%;  Nor has firefox made much progress integrating windows exploit mitigations... nor does it leverage intel/amd hardware-backed exploit mitigations such as shadow stack protections; and the windows hardware backed sandbox; which edge has done for quite some time. Firefox is lightyears behind.

    "Microsoft Edge already takes advantage of advanced protections like Code Integrity Guard (CIG) and Control Flow Guard (CFG). As of Microsoft Edge 98, Control-flow Enforcement Technology (CET) and Arbitrary Code Guard (ACG) will be enabled in the renderer process when a site is in enhanced security mode. These additional mitigations prevent dynamic code generation in the renderer processes and implement a separate shadow stack to protect return addresses. Moreover, we are quite excited that Microsoft Edge now supports both forwards and backwards control-flow protection. By applying these protections, we can provide defense in depth that spans beyond JIT attacks." https://microsoftedge.github.io/edgevr/posts/Introducing-Enhanced-Security-for-Microsoft-Edge/

     

    Thus far, Microsoft, being the developer of windows, integrated windows advanced security mitigations into edge browser more effectively than the competition; Where it lacks is in the privacy department. It takes substantial efforts to mitigate the draconian privacy violations inherent in edge and windows itself (efforts that in my circumstance are worth it); whereas browsers such as Brave and tor are private by default.

    Edited by wang_bam
    Link to comment
    Share on other sites


    Other Security Researchers' Views on Firefox: Many security experts also share my views about Firefox, and a few examples are listed below:
     

    thegrugq, information security researcher:
    Tor and its Discontents
    https://medium.com/@thegrugq/tor-and-its-discontents-ef5164845908
    Kenn White, security researcher:
    https://twitter.com/kennwhite/status/804142071133126656
    PaXTeam, developer of PaX:
    https://archive.fo/9aBLk
    Daniel Micay, lead developer of GrapheneOS:
    https://grapheneos.org/usage#web-browsing
    Matthew Garrett, Linux developer:
    https://news.ycombinator.com/item?id=13800323
    Dan Guido, CEO of Trail of Bits:
    https://news.ycombinator.com/item?id=13623735
    Theo de Raadt, lead developer of OpenBSD:
    https://marc.info/?l=openbsd-misc&m=152872551609819&w=2
    Thomas Ptacek, co-founder of Latacora and Matasano Security:
    https://twitter.com/tqbf/status/930807512609296384,
    https://twitter.com/tqbf/status/930860544927649792,
    https://twitter.com/tqbf/status/830511154950766595
    qwertyoruiopz, iOS exploit developer:
    https://twitter.com/qwertyoruiopz/status/805887567493271556,
    https://twitter.com/qwertyoruiopz/status/730704655748075520
    John Wu, Android security engineer:
    https://twitter.com/topjohnwu/status/1105739918444253184,
    https://twitter.com/topjohnwu/status/1455606288419733505
    Chris Rohlf, security engineer:
    https://twitter.com/chrisrohlf/status/1455549993536966671
    Matthew Green, cryptographer at Johns Hopkins University:
    https://twitter.com/matthew_d_green/status/830488564672626690
    Bruno Keith, security researcher at Dataflow Security:
    https://twitter.com/bkth_/status/1265971734777380865
    Niklas Baumstark, security researcher at Dataflow Security:
    https://twitter.com/_niklasb/status/1131129708073107456
    The Tor Project investigating ways to harden the Tor Browser; in particular, they conclude that Firefox is too poorly written for them to apply PaX's Reuse Attack Protector (in comparison, RAP can be applied to Chromium with relatively little effort):
    https://gitlab.torproject.org/tpo/applications/tor-browser/-/wikis/Hardening
    Alex Gaynor, former Firefox security engineer and sandboxing lead:
    https://news.ycombinator.com/item?id=22342352

    Edited by wang_bam
    Link to comment
    Share on other sites


    OK, it's getting too long of a conversation for its good.  So in short, to be polite and respond:

     

    1.  Brave or any other browser being ahead of FF does not back up your original claim.

    2.  A bunch of social media/blog posts (Twitter, Medium, etc.) does not count as a valid reference.

    3.  My whole argument was "to claim that FF is light years behind Chrome" is absurd.  I did not claim FF does not have security/privacy issues.

    4.  For a non-profit open source project to be able to compete with the big names such as Microsoft or Google means that project is doing pretty much well and stands neck to neck with the competition if not higher. 

    5.  The author of the original piece that you based your whole argument on is well known in blogs and social media for his out of place use of wording to try to amplify his opinions/claims;  same as what he did with that piece about Linux not being a secure system and it being as bad or even worse than Windows when it comes to security!  "Light years ahead/behind" is a good example of such exaggeration.

    6.  Thanks for the good technical info provided; but all the mentioned points together do not add up to "light years".

    Link to comment
    Share on other sites



